Wikileaks has released a huge trove of documents apparently taken from the CIA documenting the agency's ability to hack into types of electronic equipment and services including various zero-day exploits to hack into Android and iOS phones, as well as PCs and other assorted hardware such as Samsung smart televisions.

The leaks do not generally reveal the specifics of code or how these exploits were done, nor do they reveal whether they have been used on any foreign actors.

WASHINGTON — In what appears to be the largest leak of C.I.A. documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.

The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.

A program called Wrecking Crew explains how to crash a targeted computer, and another tells how to steal passwords using the autocomplete function on Internet Explorer. Other programs were called CrunchyLimeSkies, ElderPiggy, AngerQuake and McNugget.

The document dump was the latest coup for the antisecrecy organization and a serious blow to the C.I.A., which uses its hacking abilities to carry out espionage against foreign targets.

In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”

Unlike the National Security Agency documents Edward J. Snowden gave to journalists in 2013, they do not include examples of how the tools have been used against actual foreign targets. That could limit the damage of the leak to national security. But the breach was highly embarrassing for an agency that depends on secrecy.

Robert M. Chesney, a specialist in national security law at the University of Texas at Austin, likened the C.I.A. trove to National Security Agency hacking tools disclosed last year by a group calling itself the Shadow Brokers.

“If this is true, it says that N.S.A. isn’t the only one with an advanced, persistent problem with operational security for these tools,” Mr. Chesney said. “We’re getting bit time and again.”

There was no public confirmation of the authenticity of the documents, which were produced by the C.I.A.’s Center for Cyber Intelligence and are mostly dated from 2013 to 2016. But one government official said the documents were real, and a former intelligence officer said some of the code names for C.I.A. programs, an organization chart and the description of a C.I.A. hacking base appeared to be genuine.

The agency appeared to be taken by surprise by the document dump on Tuesday morning. A C.I.A. spokesman, Dean Boyd, said, “We do not comment on the authenticity or content of purported intelligence documents.”

In some regard, the C.I.A. documents confirmed and filled in the details on abilities that have long been suspected in technical circles.

“The people who know a lot about security and hacking assumed that the C.I.A. was at least investing in these capabilities, and if they weren’t, then somebody else was — China, Iran, Russia, as well as a lot of other private actors,” said Beau Woods, the deputy director of the Cyber Statecraft Initiative at the Atlantic Council in Washington. He said the disclosures may raise concerns in the United States and abroad about “the trustworthiness of technology where cybersecurity can impact human life and public safety.”

There is no evidence that the C.I.A. hacking tools have been used against Americans. But Ben Wizner, the director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, said the documents suggest that the government has deliberately allowed vulnerabilities in phones and other devices to persist to make spying easier.

“Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,” Mr. Wizner said. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

WikiLeaks did not identify the source of the documents, which it called Vault 7, but said they had been “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

WikiLeaks said the source, in a statement, set out policy questions that “urgently need to be debated in public, including whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” The source, the group said, “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

But James Lewis, an expert on cybersecurity at the Center for Strategic and International Studies in Washington, raised another possibility: that a foreign state, most likely Russia, stole the documents by hacking or other means and delivered them to WikiLeaks, which may not know how they were obtained. Mr. Lewis noted that, according to American intelligence agencies, Russia hacked Democratic targets during the presidential campaign and gave thousands of emails to WikiLeaks for publication.

“I think a foreign power is much more likely the source of these documents than a conscience-stricken C.I.A. whistle-blower,” Mr. Lewis said.

At a time of increasing concern about the privacy of calls and messages, the revelations did not suggest that the C.I.A. can actually break the encryption used by popular messaging apps. Instead, by penetrating the user’s phone, the agency can make the encryption irrelevant by intercepting messages and calls before their content is encrypted, or, on the other end, after messages are decrypted.

WikiLeaks, which has sometimes been accused of recklessly leaking information that could do harm, said it had redacted names and other identifying information from the collection. It said it was not releasing the computer code for actual, usable weapons “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

The code names used for projects revealed in the WikiLeaks documents appear to reflect the likely demographic of the cyberexperts employed by the C.I.A. — that is, young and male. There are numerous references to “Harry Potter,” Pokémon and Adderall, the drug used to treat hyperactivity.

A number of projects were named after whiskey brands. Some were high-end single malt scotches, such as Laphroaig and Ardbeg. Others were from more pedestrian labels, such as Wild Turkey, which was described by its programmers, in mock dictionary style, as “(n.) A animal of the avian variety that has not been domesticated. Also a type of alcohol with a high proof (151).”

Some of the details of the C.I.A. programs might have come from the plot of a spy novel for the cyberage, revealing numerous highly classified — and, in some cases, exotic — hacking programs. One program, code-named Weeping Angel, uses Samsung “smart” televisions as covert listening devices. According to the WikiLeaks news release, even when it appears to be turned off, the television “operates as a bug, recording conversations in the room and sending them over the internet to a covert C.I.A. server.”

The release said the program was developed in cooperation with British intelligence.

If C.I.A. agents did manage to hack the smart TVs, they would not be the only ones. Since their release, internet-connected televisions have been a focus for hackers and cybersecurity experts, many of whom see the sets’ ability to record and transmit conversations as a potentially dangerous vulnerability.

In early 2015, Samsung started to include in the fine print terms of service for its smart TVs a warning that the television sets could capture background conversations. “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition,” the warning said.

Another program described in the documents, named Umbrage, is a voluminous library of cyberattack techniques that the C.I.A. has collected from malware produced by other countries, including Russia. According to the WikiLeaks release, the large number of techniques allows the C.I.A. to mask the origin of some of its attacks and confuse forensic investigators.

The WikiLeaks material includes lists of software tools that the C.I.A. uses to create exploits and malware to carry out hacking. Many of the tools are those used by developers around the world: coding languages, such as Python, and tools like Sublime Text, a program used to write code, and Git, a tool that helps developers collaborate.

But the agency also appears to rely on software designed specifically for spies, such as Ghidra, which in one of the documents is described as “a reverse engineering environment created by the N.S.A.”

The Vault 7 release marks the latest in a series of huge leaks that have changed the landscape for government and corporate secrecy.

In scale, the Vault 7 archive appears to fall into the same category as the biggest leaks of classified information in recent years, including the quarter-million diplomatic cables taken by Chelsea Manning, the former Army intelligence analyst, and given to WikiLeaks in 2010, and the hundreds of thousands of National Security Agency documents taken by Mr. Snowden in 2013.

In the business world, the so-called Panama Papers and several other large-volume leaks have laid bare the details of secret offshore companies used by wealthy and corrupt people to hide their assets.

Both government and corporate leaks have been made possible by the ease of downloading, storing and transferring millions of documents in seconds or minutes, a sea change from the use of slow photocopying for some earlier leaks, including the Pentagon Papers in 1971.

LaserGuy wrote: Wikileaks has released a huge trove of documents apparently taken from the CIA documenting the agency's ability to hack into types of electronic equipment and services including various zero-day exploits to hack into Android and iOS phones, as well as PCs and other assorted hardware such as Samsung smart televisions.

The leaks do not generally reveal the specifics of code or how these exploits were done, nor do they reveal whether they have been used on any foreign actors.

WASHINGTON — In what appears to be the largest leak of C.I.A. documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.

The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.

A program called Wrecking Crew explains how to crash a targeted computer, and another tells how to steal passwords using the autocomplete function on Internet Explorer. Other programs were called CrunchyLimeSkies, ElderPiggy, AngerQuake and McNugget.

The document dump was the latest coup for the antisecrecy organization and a serious blow to the C.I.A., which uses its hacking abilities to carry out espionage against foreign targets.

In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”

Unlike the National Security Agency documents Edward J. Snowden gave to journalists in 2013, they do not include examples of how the tools have been used against actual foreign targets. That could limit the damage of the leak to national security. But the breach was highly embarrassing for an agency that depends on secrecy.

Robert M. Chesney, a specialist in national security law at the University of Texas at Austin, likened the C.I.A. trove to National Security Agency hacking tools disclosed last year by a group calling itself the Shadow Brokers.

“If this is true, it says that N.S.A. isn’t the only one with an advanced, persistent problem with operational security for these tools,” Mr. Chesney said. “We’re getting bit time and again.”

There was no public confirmation of the authenticity of the documents, which were produced by the C.I.A.’s Center for Cyber Intelligence and are mostly dated from 2013 to 2016. But one government official said the documents were real, and a former intelligence officer said some of the code names for C.I.A. programs, an organization chart and the description of a C.I.A. hacking base appeared to be genuine.

The agency appeared to be taken by surprise by the document dump on Tuesday morning. A C.I.A. spokesman, Dean Boyd, said, “We do not comment on the authenticity or content of purported intelligence documents.”

In some regard, the C.I.A. documents confirmed and filled in the details on abilities that have long been suspected in technical circles.

“The people who know a lot about security and hacking assumed that the C.I.A. was at least investing in these capabilities, and if they weren’t, then somebody else was — China, Iran, Russia, as well as a lot of other private actors,” said Beau Woods, the deputy director of the Cyber Statecraft Initiative at the Atlantic Council in Washington. He said the disclosures may raise concerns in the United States and abroad about “the trustworthiness of technology where cybersecurity can impact human life and public safety.”

There is no evidence that the C.I.A. hacking tools have been used against Americans. But Ben Wizner, the director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, said the documents suggest that the government has deliberately allowed vulnerabilities in phones and other devices to persist to make spying easier.

“Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,” Mr. Wizner said. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

WikiLeaks did not identify the source of the documents, which it called Vault 7, but said they had been “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

WikiLeaks said the source, in a statement, set out policy questions that “urgently need to be debated in public, including whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” The source, the group said, “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

But James Lewis, an expert on cybersecurity at the Center for Strategic and International Studies in Washington, raised another possibility: that a foreign state, most likely Russia, stole the documents by hacking or other means and delivered them to WikiLeaks, which may not know how they were obtained. Mr. Lewis noted that, according to American intelligence agencies, Russia hacked Democratic targets during the presidential campaign and gave thousands of emails to WikiLeaks for publication.

“I think a foreign power is much more likely the source of these documents than a conscience-stricken C.I.A. whistle-blower,” Mr. Lewis said.

At a time of increasing concern about the privacy of calls and messages, the revelations did not suggest that the C.I.A. can actually break the encryption used by popular messaging apps. Instead, by penetrating the user’s phone, the agency can make the encryption irrelevant by intercepting messages and calls before their content is encrypted, or, on the other end, after messages are decrypted.

WikiLeaks, which has sometimes been accused of recklessly leaking information that could do harm, said it had redacted names and other identifying information from the collection. It said it was not releasing the computer code for actual, usable weapons “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

The code names used for projects revealed in the WikiLeaks documents appear to reflect the likely demographic of the cyberexperts employed by the C.I.A. — that is, young and male. There are numerous references to “Harry Potter,” Pokémon and Adderall, the drug used to treat hyperactivity.

A number of projects were named after whiskey brands. Some were high-end single malt scotches, such as Laphroaig and Ardbeg. Others were from more pedestrian labels, such as Wild Turkey, which was described by its programmers, in mock dictionary style, as “(n.) A animal of the avian variety that has not been domesticated. Also a type of alcohol with a high proof (151).”

Some of the details of the C.I.A. programs might have come from the plot of a spy novel for the cyberage, revealing numerous highly classified — and, in some cases, exotic — hacking programs. One program, code-named Weeping Angel, uses Samsung “smart” televisions as covert listening devices. According to the WikiLeaks news release, even when it appears to be turned off, the television “operates as a bug, recording conversations in the room and sending them over the internet to a covert C.I.A. server.”

The release said the program was developed in cooperation with British intelligence.

If C.I.A. agents did manage to hack the smart TVs, they would not be the only ones. Since their release, internet-connected televisions have been a focus for hackers and cybersecurity experts, many of whom see the sets’ ability to record and transmit conversations as a potentially dangerous vulnerability.

In early 2015, Samsung started to include in the fine print terms of service for its smart TVs a warning that the television sets could capture background conversations. “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition,” the warning said.

Another program described in the documents, named Umbrage, is a voluminous library of cyberattack techniques that the C.I.A. has collected from malware produced by other countries, including Russia. According to the WikiLeaks release, the large number of techniques allows the C.I.A. to mask the origin of some of its attacks and confuse forensic investigators.

The WikiLeaks material includes lists of software tools that the C.I.A. uses to create exploits and malware to carry out hacking. Many of the tools are those used by developers around the world: coding languages, such as Python, and tools like Sublime Text, a program used to write code, and Git, a tool that helps developers collaborate.

But the agency also appears to rely on software designed specifically for spies, such as Ghidra, which in one of the documents is described as “a reverse engineering environment created by the N.S.A.”

The Vault 7 release marks the latest in a series of huge leaks that have changed the landscape for government and corporate secrecy.

In scale, the Vault 7 archive appears to fall into the same category as the biggest leaks of classified information in recent years, including the quarter-million diplomatic cables taken by Chelsea Manning, the former Army intelligence analyst, and given to WikiLeaks in 2010, and the hundreds of thousands of National Security Agency documents taken by Mr. Snowden in 2013.

In the business world, the so-called Panama Papers and several other large-volume leaks have laid bare the details of secret offshore companies used by wealthy and corrupt people to hide their assets.

Both government and corporate leaks have been made possible by the ease of downloading, storing and transferring millions of documents in seconds or minutes, a sea change from the use of slow photocopying for some earlier leaks, including the Pentagon Papers in 1971.

I also read that this is the largest leak in Wikileaks' history. There are already more leaked documents than were released in the first three years of documents leaked by Snowden.

I knew the CIA had hacking ability, but the sheer magnitude of this is astounding.

“There is no such thing as absolute privacy in America,” FBI director James Comey has declared.

“All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government through law enforcement can invade our private spaces,” Comey said at the conference on Wednesday. “Even our memories aren’t private. Any of us can be compelled to say what we saw … In appropriate circumstances, a judge can compel any of us to testify in court on those private communications.”

Experts pointed out that the CIA would need warrants to use the tools described – some of which would need physical access to the targeted device – so that the implications for privacy of the revelations were equivalent to traditional law enforcement wire taps.

But on the other hand, I also agree with this:

Democratic congressman Ted Lieu told the Guardian. “[the CIA arsenal of cyber weapons potentially being out there in the public domain] is very disturbing to anyone who cares about privacy ... It should also put to rest any argument about encryption back doors. You can’t just give encryption keys to the good guys and hope they don’t get to the bad guys. Our best protection is to have no security defects in the products we use.”

In the interest of the security of our nation and its people, the right thing for these agencies to do is obviously to locate vulnerabilities in digital systems, and then *immediately and proactively* work with companies to fix them. Any weakness, any security hole, is a bad thing for everyone who uses the broken service or device.

A government agency interested in the security of its people, should work hard to ensure that all vulnerabilities are identified and patched swiftly.

They should be developing worms that exploit vulnerabilities to enter the nation's systems to deploy patches to fix the discovered vulnerabilities.

(Not far off what has actually been tried. I think there was an anti-CodeRed version of CodeRed (or some other of that rough era), but due to insufficient testing across system variations it didn't fix the IIS vulnerabilities properly in most of its hosts, and may not even have kept things only as bad as they originally were all the time.)

More than anything else, and more than ever, trust is what binds the fabric of communities (of people and of machines) together. But there is a difference between "trusted" and "trustworthy". At its core, you cannot decide who should be trusted without yourself no longer being trustworthy.

That is the fundamental dilemma.

Jose

Is there anything particularly surprising about the CIA's capabilities in the leaked documents? Wifi and auto-fill vulns are pretty commonplace. I don't find it particularly alarming or surprising that they have software to exploit that kind of thing.

The InfoSec people I follow have been spending more time having a good chuckle over the secret CIA emoji than panicking about whether they've busted RSA.

ahammel wrote: Is there anything particularly surprising about the CIA's capabilities in the leaked documents? Wifi and auto-fill vulns are pretty commonplace. I don't find it particularly alarming or surprising that they have software to exploit that kind of thing.

Not really... I suppose some people are surprised by such a really large list, but there isn't much there that's all that surprising from a technical perspective. Almost everything they're talking about is based on commonly known exploits, and frankly I'd be more surprised if they weren't taking advantage of these things.

The InfoSec people I follow have been spending more time having a good chuckle over the secret CIA emoji than panicking about whether they've busted RSA.

Nobody should be surprised that CIA has a wide range of exploits that they use; of course they do. It's their job.

Most of the real concern is over the fact that internal documents have been made public, by one or more people on the inside.

It is heartening to see that the courage displayed by Manning and Snowden is alive and well in the wild. As more and more normal people come to understand that spying on people and controlling people is wrong, the wrongdoings of the bosses come to matter less and less. We will move towards more transparent government, and we will get to fully transparent government.

Instead of potentially confidential personal information being gathered for indiscriminate use by the intelligence agencies[1], potentially confidential national security information is being gathered for indiscriminate use by who-knows-who...

Much better, eh?

[1] Although I bet Google et al completely outclass them, at that game...

I honestly don't have a problem with the CIA having these capabilities. I'm not super computer-aided, but this sounds like the sort of thing I always assumed they could do. If anything it sounds a bit underwhelming.

My only problem has ever been the insistence that companies should *cooperate* with them to make their job easier, like the whole Apple v. FBI standoff.

I don't mind that the CIA can hack my computer, I just want them to have to WORK for it. And I want the option to, if I'm dedicated enough, make their job harder. Not that I actually have any reason to do that, but as a matter of principle, I should be allowed to make a safe as tough as I like. If they crack it, fine. But that's their job to pass or fail at.

Opus_723 wrote: I honestly don't have a problem with the CIA having these capabilities. I'm not super computer-aided, but this sounds like the sort of thing I always assumed they could do. If anything it sounds a bit underwhelming.

My only problem has ever been the insistence that companies should *cooperate* with them to make their job easier, like the whole Apple v. FBI standoff.

I don't mind that the CIA can hack my computer, I just want them to have to WORK for it. And I want the option to, if I'm dedicated enough, make their job harder. Not that I actually have any reason to do that, but as a matter of principle, I should be allowed to make a safe as tough as I like. If they crack it, fine. But that's their job to pass or fail at.

That doesn't touch the bigger issue: The government either leaves undiscovered weaknesses in the system, or forces companies to leave backdoors.

Opus_723 wrote: I honestly don't have a problem with the CIA having these capabilities. I'm not super computer-aided, but this sounds like the sort of thing I always assumed they could do. If anything it sounds a bit underwhelming.

My only problem has ever been the insistence that companies should *cooperate* with them to make their job easier, like the whole Apple v. FBI standoff.

I don't mind that the CIA can hack my computer, I just want them to have to WORK for it. And I want the option to, if I'm dedicated enough, make their job harder. Not that I actually have any reason to do that, but as a matter of principle, I should be allowed to make a safe as tough as I like. If they crack it, fine. But that's their job to pass or fail at.

That doesn't touch the bigger issue: The government either leaves undiscovered weaknesses in the system, or forces companies to leave backdoors.

Sure, but we knew they did that already. This dump doesn't add much to that conversation except to put it in the news again for a couple of cycles.

Opus_723 wrote: I honestly don't have a problem with the CIA having these capabilities. I'm not super computer-aided, but this sounds like the sort of thing I always assumed they could do. If anything it sounds a bit underwhelming.

My only problem has ever been the insistence that companies should *cooperate* with them to make their job easier, like the whole Apple v. FBI standoff.

I don't mind that the CIA can hack my computer, I just want them to have to WORK for it. And I want the option to, if I'm dedicated enough, make their job harder. Not that I actually have any reason to do that, but as a matter of principle, I should be allowed to make a safe as tough as I like. If they crack it, fine. But that's their job to pass or fail at.

That doesn't touch the bigger issue: The government either leaves undiscovered weaknesses in the system, or forces companies to leave backdoors.

I guess what I'm saying is that I can live with the first option. I don't necessarily think it needs to be the CIA's job to give me safe-building advice if they realize I built a crappy safe. Maybe it should be somebody's job, but that's a different matter.

It's the second option where they actually force vulnerabilities to exist in the first place that really concerns me.

Opus_723 wrote: I guess what I'm saying is that I can live with the first option. I don't necessarily think it needs to be the CIA's job to give me safe-building advice if they realize I built a crappy safe. Maybe it should be somebody's job, but that's a different matter.

Oh it definitely should be someone's job. It should be at least as high a priority as counter-terrorism.

The cost of cybercrime now stretches into the trillions of dollars. We're told that part of the reason drugs are bad is because it feeds money back to terrorists. Heck, we're told that part of the reason that copyright infringement is bad is because it feeds money back to terrorists. So shouldn't eliminating these vulnerabilities also be priority number one for the very same reason?

Maybe cybercrime is too diffuse a thing to really grab the headlines though, so let's pose a dramatic hypothetical.

Let's suppose that in a couple of decades' time, we're all riding around in automated vehicles which communicate transparently with one another to maximise traffic flow. And let's suppose that some terrorist group hacks the network resulting in a sudden catastrophic loss of life.

You say you 'don't necessarily think it needs to be the CIA's job to give me safe-building advice if they realize I built a crappy safe', but what if the CIA had discovered the vulnerability in question in the cars' networking - and kept it to themselves because it was useful to covertly track targets' movements?

Do they really share no culpability for not preventing the attack when they could have?

Did they have exclusive knowledge? Were these known exploits? Is it legal for the CIA to do it? Their brief is foreign intelligence and I believe they might be barred from doing as you suggest. I don't know the answer to those questions.

The obligation of the CIA is to keep us better informed than our adversaries and it would seem to be imperative to be able to operate in secrecy to do it. Is there a point where the need for secrecy is outweighed by the hazard to the public? Probably. But as a general rule I'm not sure that they should do so routinely. Ultimately the developers and their employers have the primary obligation.

Opus_723 wrote: I guess what I'm saying is that I can live with the first option. I don't necessarily think it needs to be the CIA's job to give me safe-building advice if they realize I built a crappy safe. Maybe it should be somebody's job, but that's a different matter.

Oh it definitely should be someone's job. It should be at least as high a priority as counter-terrorism.

The cost of cybercrime now stretches into the trillions of dollars. We're told that part of the reason drugs are bad is because it feeds money back to terrorists. Heck, we're told that part of the reason that copyright infringement is bad is because it feeds money back to terrorists. So shouldn't eliminating these vulnerabilities also be priority number one for the very same reason?

Maybe cybercrime is too diffuse a thing to really grab the headlines though, so let's pose a dramatic hypothetical.

Let's suppose that in a couple of decades' time, we're all riding around in automated vehicles which communicate transparently with one another to maximise traffic flow. And let's suppose that some terrorist group hacks the network resulting in a sudden catastrophic loss of life.

You say you 'don't necessarily think it needs to be the CIA's job to give me safe-building advice if they realize I built a crappy safe', but what if the CIA had discovered the vulnerability in question in the cars' networking - and kept it to themselves because it was useful to covertly track targets' movements?

Do they really share no culpability for not preventing the attack when they could have?

Yeah, I don't disagree with that. Requiring the CIA to be responsible for that task seems like an inherent conflict of interest within the department, though. But of course the CIA is one of the only agencies that would have that information in the first place.

Maybe we get two departments, one trying to discover vulnerabilities to exploit them and one trying to find them and patch them up, and we let them fight it out for eternity?

But then the new agency would just fix all of the CIA's security problems and the CIA would just try to steal all of the new agency's intel, so that's a bit unfair. =-p

If a government agency is going to be involved trying to make sure people's software vulnerabilities are in line, you'd probably do it via regulation in the software design rather than having some agency picking through code trying to find said vulnerabilities. I suspect this will actually be the way it goes for any automated cars since there is already precedent for transportation software (in the aviation industry). Automated cars will need to be built to X standard or simply not allowed on the roads. I guess it's much more difficult with things like phones and TVs since there's no real heavy regulation that prevents new ones from being put onto the market (AFAIK).

Opus_723 wrote: I guess what I'm saying is that I can live with the first option. I don't necessarily think it needs to be the CIA's job to give me safe-building advice if they realize I built a crappy safe. Maybe it should be somebody's job, but that's a different matter.

Oh it definitely should be someone's job. It should be at least as high a priority as counter-terrorism.

IIRC, it's a large part of the NSA's job.

Government agencies will typically advise technology vendors about vulnerabilities that they perceive as posing some risk to the community at large, because that's in the best interest of the community. Particularly ones that are easy to exploit or that can cause a lot of damage. This works both ways; technology companies often share information about vulnerabilities with the government before sharing them with the public.

However, if the CIA (or any other agency) finds some exploit that it deems to be very difficult for others to find, and to detect, and that gives them an advantage, you can be sure they're going to keep it to themselves. Because at the end of the day, the ability to gather data is what allows them to do their real jobs.